1247 - Modified TokenRevocationListener to use the backend + Added ITs

Author: Mario

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/event/TokenRevocationRequestEventListener.java

@@ -15,17 +15,28 @@
  */
 package com.stormpath.sdk.servlet.event;
 
+import com.stormpath.sdk.application.Application;
 import com.stormpath.sdk.client.Client;
 import com.stormpath.sdk.impl.ds.InternalDataStore;
+import com.stormpath.sdk.impl.error.DefaultError;
+import com.stormpath.sdk.lang.Strings;
 import com.stormpath.sdk.oauth.AccessToken;
+import com.stormpath.sdk.oauth.OAuthRequests;
+import com.stormpath.sdk.oauth.OAuthRevocationRequest;
+import com.stormpath.sdk.oauth.OAuthRevocationRequestBuilder;
+import com.stormpath.sdk.oauth.OAuthTokenRevocators;
 import com.stormpath.sdk.oauth.RefreshToken;
+import com.stormpath.sdk.oauth.TokenTypeHint;
 import com.stormpath.sdk.resource.ResourceException;
 import com.stormpath.sdk.servlet.account.event.RegisteredAccountRequestEvent;
 import com.stormpath.sdk.servlet.account.event.VerifiedAccountRequestEvent;
+import com.stormpath.sdk.servlet.application.ApplicationResolver;
 import com.stormpath.sdk.servlet.authc.FailedAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.authc.LogoutRequestEvent;
 import com.stormpath.sdk.servlet.authc.SuccessfulAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.client.ClientResolver;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthErrorCode;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthException;
 import com.stormpath.sdk.servlet.http.CookieResolver;
 import com.stormpath.sdk.servlet.oauth.impl.JwtTokenSigningKeyResolver;
 import io.jsonwebtoken.Claims;
@@ -37,6 +48,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.servlet.http.HttpServletRequest;
 import java.security.Key;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -51,9 +63,7 @@ public class TokenRevocationRequestEventListener implements RequestEventListener
     private final TokenExtractor tokenExtractor = new BearerHeaderTokenExtractor();
     private final CookieResolver accessTokenCookieResolver = new CookieResolver("access_token");
 
-    private final JwtTokenSigningKeyResolver jwtTokenSigningKeyResolver = new JwtTokenSigningKeyResolver();
-
-    private Client client = null;
+    protected ApplicationResolver applicationResolver = ApplicationResolver.INSTANCE;
 
     @Override
     public void on(SuccessfulAuthenticationRequestEvent event) {
@@ -78,30 +88,17 @@ public void on(VerifiedAccountRequestEvent event) {
     @Override
     public void on(LogoutRequestEvent event) {
         String jwt = getJwtFromLogoutRequestEvent(event);
-        if (jwt != null) {
-            if (this.client == null) {
-                this.client = ClientResolver.INSTANCE.getClient(event.getRequest()); //will throw if not found
-            }
-
-            Key signingKey = jwtTokenSigningKeyResolver.getSigningKey(event.getRequest(), event.getResponse(), null, SignatureAlgorithm.HS256);
-            JwsHeader header = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getHeader();
-            Claims claims = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getBody();
-
-            //Let's be sure this jwt is actually an access token otherwise we will have an error when trying to retrieve
-            //a resource (in order to delete it) that actually is not what we expect
-            if (isAccessToken(header)) {
-                gracefullyDeleteRefreshToken((String) claims.get("rti"));
-                gracefullyDeleteAccessToken(claims.getId());
+        HttpServletRequest request = event.getRequest();
+        Application application = applicationResolver.getApplication(request);
+        if (application != null && jwt != null) {
+            try {
+                OAuthRevocationRequest revocationRequest = OAuthRequests.OAUTH_TOKEN_REVOCATION_REQUEST.builder().setToken(jwt).build();
+                OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(application).revoke(revocationRequest);
+            } catch (ResourceException e) {
+                com.stormpath.sdk.error.Error error = e.getStormpathError();
+                String message = error.getMessage();
+                log.warn("There was an error trying to revoke a token", message);
             }
-            //There should never be a refresh token here. Therefore we will not even try to identify if the received JWT is
-            //a refresh token. That would be a bug in the filter chain as a refresh token should never be used to anything other than
-            //obtaining a new access token
-
-            //Fix for https://github.com/stormpath/stormpath-sdk-java/issues/611
-            log.debug(
-                "The current access and refresh tokens for '{}' have been revoked.",
-                (event.getAccount() != null) ? event.getAccount().getEmail() : "unknown user"
-            );
         }
     }
 
@@ -117,34 +114,4 @@ protected String getJwtFromLogoutRequestEvent(LogoutRequestEvent event) {
         return jwt;
     }
 
-    private boolean isAccessToken(JwsHeader header) {
-        return header.get("stt").equals("access");
-    }
-
-    private void gracefullyDeleteAccessToken(String accessTokenId) {
-        try {
-            String href = "/accessTokens/" + accessTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            AccessToken accessToken = ((InternalDataStore)client.getDataStore()).instantiate(AccessToken.class, map, true);
-            accessToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue
-            log.warn("There was an error trying to delete access token with ID {}", accessTokenId, e);
-        }
-    }
-
-    private void gracefullyDeleteRefreshToken(String refreshTokenId) {
-        try{
-            String href =  "/refreshTokens/" + refreshTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            RefreshToken refreshToken = ((InternalDataStore)client.getDataStore()).instantiate(RefreshToken.class, map, true);
-            refreshToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue, this component is basically a listener that tries to delete
-            //the current access and refresh tokens on logout, we will only post this error in the log
-            log.warn("There was an error trying to delete refresh token with ID {}", refreshTokenId, e);
-        }
-    }
 }

extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/test/groovy/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityAutoConfigurationIT.groovy

@@ -232,8 +232,9 @@ class StormpathWebSecurityAutoConfigurationIT extends AbstractTestNGSpringContex
         def accessToken = result.getAccessToken()
 
         expect(httpServletRequest.getHeader("Authorization")).andReturn("Bearer " + accessToken.getJwt())
-        expect(httpServletRequest.getServletContext()).andReturn(servletContext).times(2)
-        expect(servletContext.getAttribute("com.stormpath.sdk.client.Client")).andReturn(client).times(2)
+        //expect(httpServletRequest.getServletContext()).andReturn(servletContext).times(2)
+        expect(httpServletRequest.getAttribute(Application.class.getName())).andReturn(application).times(1)
+        //expect(servletContext.getAttribute("com.stormpath.sdk.client.Client")).andReturn(client).times(2)
 
         replay(httpServletRequest, httpServletResponse, servletContext)
 
@@ -243,7 +244,7 @@ class StormpathWebSecurityAutoConfigurationIT extends AbstractTestNGSpringContex
         def logoutRequestEvent = new DefaultLogoutRequestEvent(httpServletRequest, httpServletResponse, account)
         requestEventPublisher.publish(logoutRequestEvent)
         Assert.isTrue(account.getAccessTokens().getSize() == 0)
-        Assert.isTrue(account.getRefreshTokens().getSize() == 0)
+        Assert.isTrue(account.getRefreshTokens().getSize() == 1)
 
         verify(httpServletRequest, httpServletResponse, servletContext)
     }

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/CorsFilterIT.groovy

@@ -18,9 +18,7 @@ package com.stormpath.spring.config
 import com.stormpath.sdk.account.Account
 import com.stormpath.sdk.account.Accounts
 import com.stormpath.sdk.application.Application
-import com.stormpath.sdk.application.Applications
 import com.stormpath.sdk.client.Client
-import com.stormpath.sdk.directory.Directories
 import com.stormpath.sdk.directory.Directory
 import com.stormpath.sdk.lang.Strings
 import org.springframework.beans.factory.annotation.Autowired

extensions/spring/stormpath-spring-security-webmvc/src/test/groovy/com/stormpath/spring/config/MinimalStormpathSpringSecurityWebMvcConfigurationIT.groovy

@@ -20,8 +20,11 @@ import com.stormpath.sdk.api.ApiKey
 import com.stormpath.sdk.cache.CacheManager
 import com.stormpath.sdk.lang.Assert
 import com.stormpath.sdk.oauth.Authenticators
+import com.stormpath.sdk.oauth.OAuthBearerRequestAuthentication
 import com.stormpath.sdk.oauth.OAuthPasswordGrantRequestAuthentication
+import com.stormpath.sdk.oauth.OAuthRequestAuthenticationResult
 import com.stormpath.sdk.oauth.OAuthRequests
+import com.stormpath.sdk.resource.ResourceException
 import com.stormpath.sdk.servlet.authc.impl.DefaultLogoutRequestEvent
 import com.stormpath.sdk.servlet.csrf.CsrfTokenManager
 import com.stormpath.sdk.servlet.csrf.DefaultCsrfTokenManager
@@ -66,6 +69,7 @@ import static org.easymock.EasyMock.*
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post
 import static org.testng.Assert.*
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 
 /**
  * @since 1.0.RC5
@@ -274,6 +278,46 @@ class MinimalStormpathSpringSecurityWebMvcConfigurationIT extends AbstractClient
         SecurityContextHolder.clearContext()
     }
 
+    /**
+     * @since 1.5.0
+     */
+    @Test
+    void testOauthRevokeEndpoint() {
+
+        String password = "Changeme1!"
+        Account account = createTempAccount(password)
+
+        //Let's create the tokes
+        OAuthPasswordGrantRequestAuthentication createRequest = OAuthRequests.OAUTH_PASSWORD_GRANT_REQUEST.builder().setLogin(account.getEmail()).setPassword(password).build();
+        OAuthRequestAuthenticationResult result = Authenticators.OAUTH_PASSWORD_GRANT_REQUEST_AUTHENTICATOR.forApplication(application).authenticate(createRequest)
+
+        String jwt = result.getAccessToken().getJwt()
+
+        //Authenticate with access token
+        OAuthBearerRequestAuthentication authRequest = OAuthRequests.OAUTH_BEARER_REQUEST.builder().setJwt(jwt).build()
+        def bearerResult = Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(application).authenticate(authRequest)
+
+        assertTrue(bearerResult.getAccount().getEmail().equals(account.getEmail()))
+
+        //Let's revoke the tokens
+        mvc.perform(post(new URI("/oauth/revoke"))
+                    .contentType(org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+                    .content("token="+jwt)
+        ).andExpect(status().is(HttpServletResponse.SC_OK)) //200
+
+        // Authentication with the token should fail now since we have just revoked it
+        authRequest = OAuthRequests.OAUTH_BEARER_REQUEST.builder().setJwt(jwt).build()
+        try {
+            Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(application).authenticate(authRequest)
+            fail("should have thrown")
+        } catch (ResourceException e) {
+            //this exceptions is expected
+            assertEquals(e.getStatus(), 404)
+            assertEquals(e.getCode(), 10013)
+        }
+    }
+
+
     /**
      * @return true if the user has one of the specified roles.
      */